• December 20, 2014

Colleges Warily Turn Sensitive E-Mail Over to Outside Companies

The sour economy is leading some colleges to adopt free e-mail services from Google or Microsoft for their official faculty and administrative accounts. So when the president of Abilene Christian University or Boise State University gets e-mail from a donor or a professor, the messages are stored on servers beyond the universities' control.

Colleges began trying such free services for students a couple of years ago, but most college technology leaders thought they would never put their most sensitive accounts on the systems as well.

But in the past year a few colleges have made the switch campuswide, and technology officials at other colleges say they may soon do the same.

The move is delivering real savings (about $1-million at Temple University since the institution moved most of its professors and administrators to Google's service in the spring), but it is raising concerns among college lawyers who worry about losing control of data—and wonder whether outside companies will safeguard student grades and sensitive research, and keep colleges from violating federal privacy laws.

Outsourcing e-mail is especially tempting. Colleges aren't that good at this service anymore—they can't match the mailbox sizes that free services offer, and they struggle to keep up with security patches that block hackers.

And the latest e-mail services from Google and Microsoft do more than just e-mail—they include instant messaging, online word processing, Web-based spreadsheets, and more. Google calls its suite for colleges Google Apps Education Edition, and Microsoft's is Live@edu. Colleges cannot afford to build services like those on their own, so technology departments increasingly use Web-based "cloud computing" programs from specialized companies, rather than software housed on a personal computer.

"We're not the authority anymore," Sheri Stahler, Temple's associate vice president for computer services, told me last week, saying that she has seen her job change in the past couple of years. She said professors often "go out and do whatever" with free services online and come to IT asking for advice only when they hit a snag.

But is giving up control of e-mail going too far?

A High-Profile Outage

On September 1, just as many colleges started their fall semesters, Google's worldwide e-mail service stopped working. That left more than 145 colleges that have made Gmail their official communication service with no e-mail at a time when students were trying to drop classes or contact their advisers with pressing questions. The service was unavailable for about an hour and a half, in the middle of the day.

But college leaders I talked with mostly shrugged off the outage, saying that all e-mail systems go down from time to time, no matter who operates them, and that Google's overall record is still better than the colleges can do themselves.

"I'm not making light of it, but at the same time you're going to have outages," said James Langford, director of Web integration and programming at Abilene Christian University, which uses Google's service for its student, faculty, and staff e-mail accounts. "We're still very satisfied with the level of service."

Late last week, Brown University reported a snafu in transferring student e-mail accounts to Google's service: 22 students mistakenly received mail intended for others, though the problem was quickly resolved. Google officials said that a small number of other colleges had similar problems.

Those incidents get at the tThe toughestr questions for college officials, which involve privacy and security involve policy rather than service. Two terms in particular get college lawyers nervous. One is Ferpa, the abbreviation for the Family Educational Rights and Privacy Act, the federal law that requires colleges to safeguard student records like grades and contact information. The other is electronic discovery, the process institutions go through when e-mail and other digital records are subpoenaed during legal proceedings.

Ferpa looms larger, said Steven J. McDonald, general counsel at the Rhode Island School of Design, who has been tracking the issue, because it covers e-mail between professors and students. The law says that a college is allowed to hire a third party to handle such rec ords, but those third parties cannot do anything with those rec ords beyond what the college would, says Mr. McDonald.

The question is whether Google or Microsoft would "mine" the e-mail messages of professors to fine-tune the companies' search algorithms, he said, which could be considered a violation of Ferpa.

The other question is whether college officials can quickly call up official e-mail messages if faced with a court order—or whether they are in a position to try to shield such records from discovery in certain cases.

Both companies have worked hard to answer such concerns. A few months ago, Google added language to its basic contract with colleges that spells out how its policies and practices conform with Ferpa. Microsoft makes similar assurances. And both companies say they have added administrative features to help campus administrators protect student records.

Different college officials seem to have different interpretations of what Ferpa or other laws require when it comes to the electronic records of employees, and whether the companies' recent changes satisfy the law. That could explain why some colleges have jumped in with faculty and staff accounts while others have held back.

Gordon Wishon, chief information officer at the University of Notre Dame, said the institution recently adopted Google for student e-mail but was still deciding whether or not to add all faculty and staff e-mail to the system (it has already added some professors who requested accounts). Universities are cautious by nature, he said, and "once data's off the campus, you really have very few ways of knowing how the data is being protected, how it's being controlled, and who has access to it."

Officials at the University of Minnesota-Twin Cities say they feel comfortable having professors and administrators, as well as students, on Google's system. But as they roll out the service this fall, they consider faculty and staff accounts an experiment, and they are letting each professor and administrator decide whether to switch to the Google service or to keep the university-run e-mail. "We're kind of putting our toe into the water this fall," said Bernard S. Gulachek, senior director of strategy management for technology at the university.

Voting With Their Feet

Whether or not colleges sign up with Google or Microsoft, many professors use the companies' free mail and document services anyway. (They are often pulled into the services because students use them, making them convenient tools for class assignments.) So by negotiating contracts and setting up an official relationship, the college may be on firmer legal ground than it was before, said Mr. Gulachek.

Professors "had opted into Google's terms of agreement without the terms having been vetted through the office of the general counsel," he said. "Those Google agreements aren't the same terms as we're getting in our contract."

What do the companies get out of giving away accounts to professors and administrators? Students are a key marketing demographic that both companies want to win over at a young age, but why give services to gray-haired professors?

Jeff Keltner, a business development manager at Google, said that the main reason is to be able to show off the power of its collaborative tools in educational settings. To get those "positive-use cases," both professors and students needed to have accounts in the system, he said.

The company also tries to get colleges that set up faculty and staff accounts to buy Postini, a product it sells to help manage and archive e-mail (and which offers controls that can also help campuses comply with public-records laws that require, say, state universities to keep e-mail on file for a set time rather than deleting it). Mr. Keltner said Google offers a 66-percent discount on Postini to colleges that use Google Apps Education Edition.

Anna Kinney, director of Microsoft's Live@edu service, said that a few colleges using it have put faculty and staff accounts on the free system in addition to student accounts, though she declined to name specific campuses.

She said that Microsoft considers Live@edu "our student offering," and that she typically recommends that colleges pay for a more restrictive system like Microsoft Exchange Server for their faculty and staff e-mail services. "It has that deep, rich set of controls and compliance settings that you might want for that audience," she said. She said the company does offer a version of Exchange hosted by Microsoft rather than on the campus, and that the option can save colleges money.

Microsoft's pitch to colleges, she said, is that its products, like Word and Outlook, are the software programs that students are most likely to encounter in their jobs after college. "They're doing their schoolwork in the tools and technologies that they'll use in the workplace, and that's getting them more employable and more ready for the workplace," she said.

Google, meanwhile, seems to have signed up more colleges in the United States than has Microsoft, and in some cases it is taking over campus e-mail services that used to run on Microsoft products. One college administrator said that on the day the institution announced that it had chosen Google Apps Education Edition, Microsoft officials flew in a team of employees to try to persuade the college to change its mind.

College officials say that campus politics can also play a role in keeping faculty and staff e-mail in-house. Some people just don't like the idea of that donor's e-mail message falling outside the control of the development office.

"That raises eyebrows," said Mr. Gulachek, "but then they realize, that's already going on today." He said that the truth is that colleges, just like most businesses these days, are doing that kind of outsourcing. "Colleges are going out and contracting with private marketing firms already. They're sending their mail and putting their donor data on systems that are not managed by the university already. That's the reality that we're facing today."

Fretting About Faculty and Staff E-Mail

Many colleges have been reluctant to turn faculty and staff e-mail over to companies like Google and Microsoft. Here's why:

  • Security: Colleges like to think they can hold onto data better than anyone else. When a sensitive e-mail message from a professor is made public, no one cares wether or not the college made the mistake or whether it was a hired company—the college's reputation is still damaged.
  • Ferpa (the Family Educational Rights and Privacy Act): The federal law that protects student records covers e-mail messages that professors or administrators send to students. So faculty and staff e-mail accounts are full of files that colleges must keep private.
  • E-Discovery: What would Google or Microsoft do if a professor's e-mail on its system was subpoenaed as part of a lawsuit? Outsourcing raises that question and more.

College 2.0 explores how new technologies are changing colleges. Please send ideas to jeff.young@chronicle.com.

Comments

1. bobfutrelle - September 21, 2009 at 05:32 am

I'm using Google Docs for my two undergraduate courses in computer science. All course pages are published Google Docs. All assignments, including added images and drawings by the students are shared with me and my teaching assistant / grader. The grader develops her comments and grades in a separate Google Doc which she shares only with me. If they're OK, she pastes them into the students' assignments, in red type. The moment she does that, the student can see the grade and added text. That is, I and the TA both have edit privileges for the student handins.

At the start of each course, each student copies a Google Doc that is an information form about them, e.g., past courses, work experience, interests, etc. Their university IDs do not appear in these or any of the other docs related to the course. They're only in my grading sheet, a Google Spreadsheet.

I have good friends in important positions in Google and I trust their skills at handling the issues that can arise with outsourcing. I'm doing all this as an experiment.

So far it's working, and working well.

I also created new and separate Gmail accounts for myself, one specific to each course. Otherwise, my normal mail would be flooded with about 500 emails from the students during the semester, each announcing the completion of one assignment, with a link to it. I have mailing list groups in Gmail, for all the students in each course.

In my research group, we have created and shared about 400 Google Docs over the last three years. Over a longer period, I have accumulated about 20,000 Gmails as well as trashing many more than that.

I can search Google Docs and Gmail and get results in a flash, a wonderful (powerful) aspect of Google's system.

If there is a serious administrative matter, e.g., did two students collaborate too closely on an assignment, I use the university mail system for that.

- an associate professor of computer science

2. jesor - September 21, 2009 at 07:06 pm

This article fails to mention one security principle that has protected academia well over the years. Most smaller institutions have had few if any true attacks on their systems because they are hard to find, small targets with little value to hackers. While small relatively vulnerable systems are hacked on a regular basis, the liklihood of any one system being compromised is relatively low. Sort of like a Robin Hood hiding in a forest full of other Robin Hoods. Google on the other hand is a large, well fortified target, that repels near constant attacks successfully. There's a low likelihood of success, but a lot to be gained, sort of like King Arthur in his castle. Both techniques can be effective. (I guess I could have used a Rhino vs. Wildabeast analogy, but you get the point)

3. backes - September 22, 2009 at 01:03 pm

It doesn't really matter how much you trust Google or Microsoft. The new FERPA regulations (taking effect January 2009) require institutions to have control over those that handle student records for us. That control means a contract with language that make the vendor (in this case MS or Google) responsible for following FERPA and not using the data for anything we wouldn't. To date, I've only seen one contract that includes that (it was MS) and it wasn't signed. It will be interesting to see if MS and Google step up and provide that kind of assurance for free, or if they will start charging.

4. mikerichichi - September 23, 2009 at 04:35 pm

How was Temple spending over $1 million in less than a year on providing email?

5. cisdept - September 23, 2009 at 04:49 pm

This article does not mention that Google puts ads on the gmail site. As long as someone is a student s/he won't see ads, but faculty and staff do get ads, and as soon as the student graduates or stops attending, the former student gets them, too. The point of mining the email messages is to find words within them for targeting particular ads to particular individuals. THAT's what's in it for the provider and some people think that is an unacceptable invasion of privacy.

6. paievoli - September 28, 2009 at 09:25 am

cisdept
Couldn't agree more. And it won't stop and you are giving that revenue stream away for nothing. You could have free email and share the revenue instead of making Google richer. Your revenue could be used for donations, grants, scholarships.
The adv. could be content appropriate without being intrusive.
Not all advertising is evil. Just usually the ones that state "do no evil".

Add Your Comment

Commenting is closed.

subscribe today

Get the insight you need for success in academe.